adds validation for output_file and updates doc

Author: ezebunandu

actions/socket-export-sbom/README.md

@@ -6,10 +6,12 @@ A good use case is including this sbom as part of a public repo's release artifa
 
 ## Inputs
 
-| Name               | Type     | Description                                                                                                                                                                        | Default Value | Required |
-| ------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | -------- |
-| `socket_api_token` | `string` | GitHub token used to authenticate with `gh`. Requires permission to query for protected branches and delete branches (`contents: write`) and pull requests (`pull_requests: read`) | `none`        | true     |
-| `output_file`      | `string` | Name of the file to save the socket sbom on the runner.                                                                                                                            | `"spdx.json"` | false    |
+| Name               | Type     | Description                                                                                                                                                                        | Default Value         | Required |
+| ------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | -------- |
+| `socket_api_token` | `string` | GitHub token used to authenticate with `gh`. Requires permission to query for protected branches and delete branches (`contents: write`) and pull requests (`pull_requests: read`) | `none`                | true     |
+| `socket_base_url`  | `string` | Base URL of the socket api endpoint.                                                                                                                                               | `"api.socket.dev/v0"` | true     |
+| `socket_org_name`  | `string` | Name of the socket org.                                                                                                                                                            | `"grafana"`           | true     |
+| `output_file`      | `string` | Name of the file to save the socket sbom on the runner.                                                                                                                            | `"spdx.json"`         | false    |
 
 ## Examples
 

actions/socket-export-sbom/action.yml

@@ -14,14 +14,14 @@ inputs:
     required: true
     default: "grafana"
   output_file:
-    description: "Output file path for the SBOM"
+    description: "Name of the file to save the sbom"
     required: false
 
 runs:
   using: "composite"
   steps:
     - name: Setup Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
       with:
         go-version: "1.25.4"
 
@@ -33,13 +33,18 @@ runs:
         echo "name=$REPO_NAME" >> $GITHUB_OUTPUT
 
     - name: Export SPDX SBOM from Socket.dev
-      shell: sh
-      working-directory: ./socket-sbom
+      shell: bash
       env:
         SOCKET_API_TOKEN: ${{ inputs.socket_api_token }}
         SOCKET_BASE_URL: ${{ inputs.socket_base_url }}
         SOCKET_ORG: ${{ inputs.socket_org }}
         REPO_NAME: ${{ steps.repo-name.outputs.name }}
         OUTPUT_FILE: ${{ inputs.output_file }}
+        ACTION_PATH: ${{ github.action_path }}
       run: |
+        # Extract basename if output_file is provided (handles both filenames and paths)
+        if [[ -n "$OUTPUT_FILE" ]]; then
+          OUTPUT_FILE=$(basename "$OUTPUT_FILE")
+        fi
         go run main.go $REPO_NAME $OUTPUT_FILE
+        echo "ACTION_PATH/$OUTPUT_FILE" >> $GITHUB_OUTPUT